Nevada’s 80th Legislative Session passed, and the state's governor has approved Senate Bill 220, which prohibits the operator of a website or online service from selling certain collected consumer information in Nevada if directed by the consumer. Separating itself from the California Consumer Privacy Act, SB 220 is one step of a multi-step approach to Nevada’s privacy legislation.

The law was developed to work with Nevada’s existing privacy and security laws, following concerns over the transparency of third-party data sales in the state. The law provides consumers who reside in Nevada with the ability to opt out of data sales. Unlike the CCPA, SB 220 is not comprehensive, does not provide proportional service for data collected, and does not contain an explicit anti-discrimination clause for individuals who choose to opt out. 

Definitions

An operator as defined in the Privacy and Security of Personal Information Chapter of the Nevada Revised Statutes (603A) is a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service, purposefully directs its activities toward the state, consummates some transaction with the state or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the constitution.

SB 220 amends “operator” to exclude a third party that operates, hosts or manages a website or online service on behalf of its owner, financial institution or their affiliates subject to the Gramm-Leach-Bliley Act; an entity that is subject to the provisions of the Health Insurance Portability and Accountability Act; or a manufacturer of motor vehicles or person who repairs or services motor vehicles.

The term “sale” is defined as the exchange of covered information for monetary consideration by the operator to a person (inclusive of businesses) to further sell or license the covered information to additional persons. This does not include the disclosure of covered information by an operator:

  • To a processor on behalf of the operator.
  • To a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
  • To a person for purposes consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.

Under SB 220, the following are excluded from the definition of “sale”: the disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.

A “designated request address” is an electronic mail address, toll-free telephone number or website established by the operator for the purpose of accepting and processing “verified requests” from consumers. A “verified request” is submitted by a consumer to an operator for the purposes of opting out of data sales. The authenticity of the request and the identity of the consumer must be able to be reasonably verified by the operator.

Covered information is defined in NRS 603A.320 as any one or more of the following items of personally identifiable information about a consumer collected by an operator through a website or online service maintained by the operator:

  • A first and last name.
  • A home or other physical address that includes the name of a street and the name of a city or town.
  • An electronic mail address.
  • A telephone number.
  • A social security number.
  • An identifier that allows a specific person to be contacted either physically or online.
  • Any other information concerning a person collected from the person through the internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

What the bill does

Operators that collect specific personally identifiable information must provide a notice on their website containing information on their privacy practices must also provide a “designated request address” for consumers to submit “verified requests” directing the operator not to make any sale of any covered information the operator has collected about the consumer. Operators that have received a verified request are prohibited from selling any covered information and shall respond to every verified request within 60 days after receipt and may not extend the response by more than 30 days if the operator determines the extension as reasonably necessary. If an extension is sought, the operator must notify the consumer.

Enforcement of SB 220 rests with the attorney general. If the attorney general believes that an operator has violated NRS 603A.340 or SB 220, the attorney general may institute appropriate legal proceedings in district court. The district court may issue either a temporary or permanent injunction or impose a civil penalty of no more than $5,000 per violation.

This bill goes into effect Oct. 1.